Hi Steve,
>> But anyway, whatever it takes (and it won't be rocket science -pun;), we
>> will add any bits needed to allow this. NASA is a magical word in my
>> ears;)
>
> Great! ;) Also, I plan to make the core of my app open
> source, once I have gone through all the NASA hoops to
> release it, so hopefully it will be more than just a
> nice-sounding thing ... maybe something actually useful
> to others! :)
Sounds good!
The "model driven software development" (MDS .. roughly) perspective,
and how WAMP could take a role there, is very interesting for a number
of reasons. I had discussions with guys from big corps that are much into
the MDS, and like to start creating systems from formally defining WAMP
interfaces, and then components, etc.
Maybe this isn't exactly what you are working on, but it seems related
.. please keep me updated on your efforts.
> Actually, our app is not browser-based but rather a desktop GUI
> app that we are creating using PyQt5 and Autobahn-Python's
> twisted API (plus qt5reactor). My programming team (and myself)
Ahh. I see. PyQt is really nice, yes. Qt is nice, but it comes with the
C++ baggage which is mostly "no gain, but pain" for desktop apps these
days. But using Qt from Python to the rescue;)
FWIW, as a correlate, there is also a thing called Kivy with a slightly
different focus, but also nice
https://kivy.org/
Works with Autobahn and Crossbar.io (they have Twisted integration):
https://github.com/crossbario/crossbar-examples/tree/master/kivy
> do not like javascript -- we want to do everything in Python. ;)
=)
It is so sad that Brendan Eich only had like 10 days to come up with a
scripting lang for browsers, and didn't consider Python. We all would be
living in a better world now. Anyways. Lost cause.
Personally, I want to get into Typescript more to get around the defects
of JS. Well, if I find time.
>
> We already have a version of our app that can authenticate to
> crossbar over the "ticket-based authentication" (based on that
> crossbar example code) and do rpc and pub/sub.
>
> What you describe below for the protocol sounds correct as far
> as I understand Kerberos/SPNEGO -- but just substitute "GUI client"
> everywhere you have "browser".
Ok, this simplifies things. Because it doesn't need to piggyback on the
initial HTTP handshake.
I think it can be done today, in AB and CB, with WAMP-Ticket and dynamic
authenticators.
Your Python desktop app opens a connection to Crossbar.io (CB). This can
be WebSocket or RawSocket. Doesn't matter, because the Kerberos thing is
hooked on top of the WAMP authentication message exchange (not the HTTP
handshake as would be needed for browsers).
The app starts joining, announcing WAMP-Ticket as the only authmethod it
is willing to do:
HELLO message from app -> CB
Crossbar.io will check if it was configured for WAMP-Ticket, and if so,
answer that with a CHALLENGE message CB -> app.
Sidenote: if you need to provide additional challenge info at this
point, we can do that, but it needs some new code.
The app will use GSSAPI to talk to Kerberos and construct a Kerberos
"Service Ticket" for the target CB/realm.
The app will then answer the CHALLENGE message with AUTHENTICATE,
providing the above "Service Ticket".
CB will invoke your dynamic authenticator, and this can check the
provided Service Ticket locally then (again via GSSAPI).
---
Unless I have overlooked sth, above should work today in AB/CB.
I'd watch out for 2 things:
a) blocking stuff in python-gssapi: if this lib is blocking, probably
deferToThread the respective blocking calls
b) AUTHENTICATE.Signature
https://github.com/crossbario/autobahn-python/blob/master/autobahn/wamp/message.py#L1003
is where the Kerberos Service Ticket will be transmitted.
And since this field wants a string type (not bytes), you probably will
have to encode the Kerberos ticket with base64 or something. No big
deal, and not performance relevant.
>
> Once Crossbar supports Kerberos authentication, I am sure
> there will be lots of organizations that will want to
> use it for browser applications, and it should work the same.
I agree with that. It is one piece in the puzzle that will make it
easier for big corps/orgs to use CB.
I have created an issue
https://github.com/crossbario/crossbar/issues/1045
> Again, I really appreciate your interest and willingness to look
> into this! I think it can potentially enable a large domain
> of internal enterprise applications of Crossbar and Autobahn,
> and possibly bring you some customers. ;)
Absolutely;)
Cheers,
/Tobias
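
The base64 step for AUTHENTICATE.Signature and the dynamic-authenticator check described in the message above, as an added sketch that is not part of the original message and is not Autobahn or Crossbar.io code. Assumptions: the authenticator receives the ticket as `details["ticket"]`, and `InvalidTicket`, `accept_token`, the size cap, the sample token and the principal name are all hypothetical or constructed; the real GSSAPI accept step is replaced by a stand-in so the block runs offline.

```python
import base64

MAX_TICKET_BYTES = 16 * 1024  # assumed cap, size it for your realm's tickets


class InvalidTicket(Exception):
    """Any ticket the authenticator must reject (assumed error type)."""


def encode_ticket(token: bytes) -> str:
    # Client side: GSSAPI token bytes -> str for AUTHENTICATE.Signature.
    return base64.b64encode(token).decode("ascii")


def decode_ticket(signature) -> bytes:
    # Router side: strict, size-bounded decode before any GSSAPI work.
    if not isinstance(signature, str) or not signature:
        raise InvalidTicket("ticket must be a non-empty string")
    if len(signature) > 4 * ((MAX_TICKET_BYTES + 2) // 3):
        raise InvalidTicket("ticket too large")
    try:
        return base64.b64decode(signature.encode("ascii"), validate=True)
    except ValueError:  # covers binascii.Error and UnicodeEncodeError
        raise InvalidTicket("ticket is not valid base64") from None


def make_authenticator(accept_token, role="user"):
    # accept_token(bytes) -> principal str or raises: hypothetical hook for the
    # GSSAPI accept step (wrap it in deferToThread if the library blocks).
    def authenticate(realm, authid, details):
        principal = accept_token(decode_ticket(details.get("ticket")))
        # Trust the principal Kerberos verified, not the client-sent authid.
        if authid is not None and authid != principal:
            raise InvalidTicket("authid does not match ticket principal")
        return {"authid": principal, "role": role}
    return authenticate


# Constructed stand-ins for a real service ticket and the GSSAPI check.
SAMPLE_TOKEN = b"\x60\x82\x01\x00constructed-not-a-real-ticket"


def fake_accept(token: bytes) -> str:
    if token != SAMPLE_TOKEN:
        raise InvalidTicket("ticket rejected")
    return "alice@EXAMPLE.ORG"
```

In a real deployment the rejection would be raised as the error type the router expects, and `accept_token` would call the GSSAPI library with the service's own credentials.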